Re: patch: policy update by id

To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: Re: patch: policy update by id
From: jamal <hadi@xxxxxxxxxx>
Date: Wed, 27 Apr 2005 23:09:34 -0400
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to: <20050427194356.58a3e618.davem@xxxxxxxxxxxxx>
Organization: unknown
References: <1114602874.7670.4.camel@xxxxxxxxxxxxxxxxxxxxx> <1114604657.7670.22.camel@xxxxxxxxxxxxxxxxxxxxx> <1114604826.7670.24.camel@xxxxxxxxxxxxxxxxxxxxx> <20050427233924.GA22238@xxxxxxxxxxxxxxxxxxx> <1114650816.7663.13.camel@xxxxxxxxxxxxxxxxxxxxx> <20050428012135.GA22950@xxxxxxxxxxxxxxxxxxx> <20050428013014.GA23043@xxxxxxxxxxxxxxxxxxx> <1114653140.7663.36.camel@xxxxxxxxxxxxxxxxxxxxx> <20050428020754.GA23326@xxxxxxxxxxxxxxxxxxx> <20050427194356.58a3e618.davem@xxxxxxxxxxxxx>
Reply-to: hadi@xxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx
On Wed, 2005-27-04 at 19:43 -0700, David S. Miller wrote:
> On Thu, 28 Apr 2005 12:07:54 +1000
> Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> 
> > You know what, I actually agree with you :) But you'll need to convince
> > Dave:
> > 
> > http://www.uwsg.iu.edu/hypermail/linux/net/0305.3/0018.html
> 
> I'm willing to renege on that position if you can convince me
> that security minded folks won't be surprised by this pseudo-
> aliasing.  For example, do firewall systems tend to support
> such priority schemes?  If so, I guess we can do it.

Well, the tc classifiers are a good example. Priorities are used
as ambiguity resolvers.

After reading that URL though I think either way would be fine ..

rule1:
reject ipsrc A/32 ipdst B/32 with different priorities if entered more
than once;
** but we allow the second rule ipsrc A/24 ipdst B/24 - the only thing
that would probably be useful to add is to ensure a different priority is
used. This may be a little involved.

BTW, a weird ambiguity resolver is iptables - it just prepends rules.

cheers,
jamal
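The semantics sketched in this reply, as an added example that is not part of the thread and not kernel code: a toy policy table where a priority value is the ambiguity resolver (lower value wins, in the spirit of a tc classifier preference), the same selector may be entered more than once only at different priorities, an overlapping but different selector such as A/24 is always allowed, and duplicate selectors are reported so an auditor can see where the priority is doing the disambiguation. All addresses, rule names and the class and method names are constructed for the example.

```python
"""Priority-resolved policy table (added example; addresses are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: object          # ipaddress network (IPv4Network or IPv6Network)
    dst: object
    priority: int        # lower value is consulted first, like a tc 'pref'
    action: str          # "reject" or "accept"

    def selector(self) -> Tuple[object, object]:
        return (self.src, self.dst)

    def matches(self, src_ip, dst_ip) -> bool:
        return src_ip in self.src and dst_ip in self.dst


class PolicyTable:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, src: str, dst: str, priority: int, action: str) -> Rule:
        """Insert a rule; the only refused insert is an exact selector
        at a priority that is already taken (the genuinely ambiguous case).
        The same selector at a new priority, or a wider/narrower prefix,
        is accepted and ordered by priority."""
        rule = Rule(ip_network(src), ip_network(dst), priority, action)
        for existing in self.rules:
            if (existing.selector() == rule.selector()
                    and existing.priority == rule.priority):
                raise ValueError(
                    f"selector {src} -> {dst} already present at priority {priority}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)   # stable: insertion order among equal prefs
        return rule

    def lookup(self, src_ip: str, dst_ip: str) -> Optional[Rule]:
        """First match in priority order decides; None means no rule applies."""
        s, d = ip_address(src_ip), ip_address(dst_ip)
        for rule in self.rules:
            if rule.matches(s, d):
                return rule
        return None

    def duplicate_selectors(self) -> List[Tuple[str, str]]:
        """Selectors entered more than once (at different priorities).
        Legal under this scheme, but worth surfacing for review."""
        seen = {}
        for rule in self.rules:
            seen.setdefault(rule.selector(), []).append(rule.priority)
        return [(str(s), str(d)) for (s, d), prios in seen.items() if len(prios) > 1]


if __name__ == "__main__":
    table = PolicyTable()
    # constructed sample policy: an exact host pair at two priorities, then a /24 pair
    table.add("10.0.0.1/32", "10.0.1.1/32", 10, "reject")
    table.add("10.0.0.1/32", "10.0.1.1/32", 20, "accept")
    table.add("10.0.0.0/24", "10.0.1.0/24", 30, "accept")
    try:
        table.add("10.0.0.1/32", "10.0.1.1/32", 10, "accept")
    except ValueError as err:
        print("refused:", err)
    print("10.0.0.1 -> 10.0.1.1:", table.lookup("10.0.0.1", "10.0.1.1"))
    print("10.0.0.2 -> 10.0.1.9:", table.lookup("10.0.0.2", "10.0.1.9"))
    print("duplicates:", table.duplicate_selectors())
```

The point of `duplicate_selectors` is the review concern raised in the quoted message: a priority scheme is fine as long as the place where two identical selectors diverge is visible, so the check that matters on insert is the one against an identical selector at an identical priority, not against overlapping prefixes.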
